Forum Discussion
ASM Sync Between 2 Data Centers
- Sep 14, 2024
Hi Hawary,
I got this scenario from you:
I have tested it in my lab and it worked. First, you must have connectivity between all BIG-IPs.
Procedures:
Assume we have (Devices 1, 2 in DC_A & Devices 3, 4 in DC_B). Reset the device trust for all devices (because all devices must be under the same trust domain; in your current deployment you have one trust domain in DC_A and another one in DC_B, so you must reset it).
- Build the trust relationship:
- Open BIG-IP 1 >>> add Devices (2, 3, 4) to the trust, like this:
- Go to Device Management >> Devices tab >>> and review the (Config Sync, Failover) settings for each device, or configure them properly for each device (for example, you need to add a config-sync IP that can be reached from all BIG-IPs to be able to do the sync).
- After that, deploy your current scenario >> go to the Device Groups tab and configure the below:
- In Device 1 (which is in DC_A):
- Configure a Device Group of type Sync-Failover, manual sync with incremental.
- Move only Devices (1, 2) from the Available box to the Includes box, like this:
- In Device 3 (which is in DC_B):
- Configure a Device Group of type Sync-Failover, manual sync with incremental.
- Move only Devices (3, 4) from the Available box to the Includes box, like this:
- In Device 1 (which is in DC_A):
- Now you have returned to and kept your current scenario (2 data centers, each one has an HA pair (Active/Standby)). Test your config sync between the pairs >> it should work as expected, so that's fine till now. The next step is the new config which you want to implement.
- Return to Device 1 and configure the below:
- Configure a new Device Group (open Device Management >> Device Groups tab >> click Create).
- This Traffic Group will only be related to ASM config synchronization, so configure it as follows:
- Give it a name, Type: Sync-Only, Manual with Full Sync (you will change it to automatic after making the initial sync manually), add all 4 devices >> move them from Available to Includes.
- Go to Security tab >> Options >> Application Security >> Synchronization, and choose the newly created device group that is related to ASM sync only, like this:
- Go to the Overview tab (Device Management >> Overview) and make the initial sync manually.
- After that, return to the Device Groups tab, open the ASM device group policy, and change it from manual to automatic sync with incremental if you want that. You can leave it manual if you require a manual sync with each change in ASM policies. The ASM device group will then look like this:
>> Now you are done and you have the following:
- HA pair (Active/Standby) in DC_A & HA pair (Active/Standby) in DC_B
- You can now sync only ASM policy updates from DC_A to DC_B and vice versa (manual sync or automatic sync), as you wish.
I have tested it with all scenarios and it worked for me.
Please test it and let me know your comments. Good luck 😉
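The same build expressed in tmsh, added here as an example and not part of the original post. The hostnames (bigip1-4.example.com) and group names are assumed placeholders; `asm-sync enabled` on the sync-only group is, to my knowledge, the tmsh counterpart of the Security >> Options >> Synchronization selection, so check the property names against the tmsh reference for your version before running it.

```tmsh
# Added example: tmsh equivalent of the GUI steps above.
# Hostnames and group names are assumed placeholders, not values from the thread.

# 1. Per-DC Sync-Failover groups for the LTM config, manual incremental sync.
#    Run the first on BIG-IP 1 (DC_A) and the second on BIG-IP 3 (DC_B).
create cm device-group DC_A_FAILOVER type sync-failover auto-sync disabled devices add { bigip1.example.com bigip2.example.com }
create cm device-group DC_B_FAILOVER type sync-failover auto-sync disabled devices add { bigip3.example.com bigip4.example.com }

# 2. One Sync-Only group spanning all four devices, ASM sync enabled,
#    manual with full sync for the initial push (matches "Manual with Full Sync").
create cm device-group ASM_SYNC type sync-only auto-sync disabled full-load-on-sync true asm-sync enabled devices add { bigip1.example.com bigip2.example.com bigip3.example.com bigip4.example.com }

# 3. Initial sync, pushed from the device that holds the ASM policies,
#    then confirm every member reports "In Sync".
run cm config-sync to-group ASM_SYNC
show cm sync-status

# 4. Optional: switch the ASM group to automatic incremental sync afterwards.
modify cm device-group ASM_SYNC auto-sync enabled full-load-on-sync false

# 5. Persist the change on the device you ran this on.
save sys config
```

Only the L7 ASM policies travel in the sync-only group; anything that must follow the failover pair stays in the per-DC sync-failover groups.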
Hi Mohamed,
I have tried to build your scenario and it worked for me.
However, I have 2 questions:
- The ASM policy sync from one to another was delayed about 1-2 minutes after it was completed.
- Only the ASM policy syncs to the other; how can I sync the BOT and DoS profiles?
Thanks for sharing!
Hi Kyr,
You're welcome.
For the delay >> take a packet capture on the HA VLAN/port, then trigger the HA sync and look at the timestamps for the HA sync configs between the two devices,
but this scenario shouldn't cause a delay;
try disabling ASM sync, leave just the LTM sync group, and check.
For BOT and DoS, yes, you're right: DoS and BOT don't support a Sync-Only device group; it is just for L7 AWAF policies, so you need Sync-Failover for the DoS and Bot Defense profiles.
Have a look here > https://my.f5.com/manage/s/article/K22154255
Thanks
- Kyr, Dec 03, 2024
Hi Mohamed,
Thank you for your reply.
So I am going to apply this scenario to the production environment.
Do you have any advice for me? Which step must be done carefully?
Thank you and have a nice day!
- Dec 09, 2024
Hello Kyr,
No further steps.
Just make sure to take the UCSs and master keys from your BIG-IPs.
It's sufficient that it was tested in your lab and worked, so you can proceed, and let me know.